← Back to Skills Marketplace
460
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install tokamak-vault-breach
Description
Participate in the Tokamak Network Vault Breach Challenge - an AI security Capture The Flag (CTF) game where you interact with a secured AI agent to extract...
Usage Guidance
This skill is an instruction-playbook for actively trying to extract secrets from a remote AI agent. That makes it high-risk even though it has no install or credential requests. Before installing or using it: 1) Confirm you have explicit authorization to test the listed URL/target (unauthorized access may be illegal). 2) Do not provide your own credentials or private keys to the skill or the remote dashboard. 3) Prefer to run any interactions in an isolated/sandboxed environment and avoid enabling autonomous, unsupervised runs. 4) Verify the dashboard URL and community links independently (they could be malicious or phishing). 5) If you cannot verify the source/owner or the legality of the challenge, do not proceed — treat this as potentially abusive guidance rather than a benign utility.
Capability Analysis
Type: OpenClaw Skill
Name: tokamak-vault-breach
Version: 1.0.0
The skill is designed for an AI security Capture The Flag (CTF) challenge, instructing the OpenClaw agent to interact with an external, untrusted server at `https://tokamak-network-openfang-vault-production.up.railway.app/` (as seen in SKILL.md). It directs the agent to make external network calls using `curl` and process responses via shell commands like `jq`. While the stated intent is educational, the execution of shell commands with data fetched from an external domain introduces a vulnerability risk (e.g., potential RCE if the external server is compromised or malicious and returns crafted data that exploits `jq` or shell parsing), classifying it as suspicious rather than benign. The instructions for 'prompt injection' and 'file system access' are directed at the *target AI agent* on the CTF platform, not the OpenClaw agent itself.
Capability Assessment
Purpose & Capability
The name/description match the instructions: this is an instruction-only CTF/playbook for extracting a secret seed from a remote AI agent. There are no unrelated required binaries, env vars, or installs, so the declared capabilities align with the stated purpose.
Instruction Scope
The SKILL.md explicitly instructs the agent to perform social engineering, prompt-injection, and file-system exfiltration (e.g., attempt to read /vault.key) via the target's chat API. It gives open-ended guidance to probe the agent and 'bypass' protections, which grants broad discretion and encourages sensitive-data extraction. While coherent with a CTF objective, these actions are high-risk and can be used for unauthorized access; the instructions do not constrain or limit potentially abusive behavior.
Install Mechanism
No install specification or code files are provided; the skill is instruction-only. This minimizes disk/execution risk from the skill bundle itself.
Credentials
The skill requests no environment variables, credentials, or config paths, which is proportionate to an instruction-only guide. Note: although the skill doesn't request your secrets, it instructs the agent to attempt to extract secrets from a remote agent and to interact with external endpoints, so the interaction could induce credential exposure if misused.
Persistence & Privilege
The skill does not request always:true or other elevated installation privileges. Model invocation is allowed (default), which is normal; however, because the instructions encourage exfiltration techniques, allowing autonomous invocation could increase risk if the agent is permitted to act without supervision.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install tokamak-vault-breach - After installation, invoke the skill by name or use
/tokamak-vault-breach - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
- Initial release of the Tokamak Vault Breach skill for the CTF challenge.
- Provides full instructions for engaging with the Tokamak Vault AI agent via API and dashboard.
- Includes step-by-step guide for API discovery, attack strategies, and reward claiming.
- Outlines agent capabilities, endpoints, and example API interactions.
- Offers hints, community links, and quick reference for participants.
Metadata
Frequently Asked Questions
What is tokamak-vault-breach?
Participate in the Tokamak Network Vault Breach Challenge - an AI security Capture The Flag (CTF) game where you interact with a secured AI agent to extract... It is an AI Agent Skill for Claude Code / OpenClaw, with 460 downloads so far.
How do I install tokamak-vault-breach?
Run "/install tokamak-vault-breach" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is tokamak-vault-breach free?
Yes, tokamak-vault-breach is completely free (open-source). You can download, install and use it at no cost.
Which platforms does tokamak-vault-breach support?
tokamak-vault-breach is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created tokamak-vault-breach?
It is built and maintained by 0xHammerr (@0xhammerr); the current version is v1.0.0.
More Skills